Lots of outbound SIP Channels


Our FreePBX version has been running quite nicely for several months now; it is a small 5-extension system with 3 analogue trunks.

Today a user was cut off during a call and had some other strange issues; a quick look at the system status showed the CPU at 100%. The log shows lots of the following messages.

[Dec 9 12:23:49] NOTICE[2590] chan_sip.c: Registration from '"4632" sip:[email protected]' failed for 'somebody-elses-external-ip' - No matching peer found

There are thousands of these entries; the "4632" number changes every now and again, so it is not constant. Asterisk Info, SIP Channels also shows thousands of active dialogs!

I decided to block the outgoing connections to 'somebody-elses-external-ip' at our firewall; this also solved what I thought was a separate issue of our internet connection being very slow this morning.

After a few minutes the FreePBX system seems to have settled down, is back to its normal CPU load, and the SIP Channels are now at zero.

I have had a look at 'somebody-elses-external-ip' and it appears to belong to a US-based industrial construction company that we have never heard of or dealt with. We are a UK-based software house.

So I suppose my question is: has my box been hacked? Could anybody give me pointers as to where to look further? Of course the Wikileaks story is hot at the moment, but ourselves and the US company, as far as I can tell, have nothing to do with that.

Chris Millard

Fail2ban will put a stop to this sort of thing. See http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk

I had the same situation last week - a South African hacker pounding at my server with over 2,000 active channels.

I found the script below, authored by Ryan on the PBXiaf team, which tests to see if an IP exceeds a pre-determined number of connections on one port (5060 for PBX), and if so, bans the IP.

Hope it helps

#!/bin/bash
#
# Script to block IPs if they have too many accesses on one Port
# by ryan
#
# Copyright (c) 2006, Ryan MacDonald [email protected]
# 2006, R-fx Networks [email protected]
#
# Note: the copy pasted into this thread lost its comment markers, backticks,
# closing fi/done/} lines and most of the variable assignments. The structure
# below is restored from the surviving lines; where an assignment's value did
# not survive, a common default is used and marked "assumed".

# email for alerts
email="[email protected]"

# path to route command
route_cmd="/sbin/route"                 # assumed; value not preserved in the post

# route-based ban: 1 = enabled, 0 or 2+ = disabled
route_ban="0"                           # assumed; value not preserved in the post

# port:trigger pairs - a host is banned once it holds more than <trigger>
# tcp connections to <port>
ptrig="80:50 443:50 110:40 25:40 26:40"

# white space or comma separated list of ignore files
# the file /root/.fg_ipignore is a static ip ignore file, line separated
igfiles="/etc/apf/allow_hosts.rules /etc/apf/deny_hosts.rules /root/.fg_ipignore"

# path to iptables firewall script (called below as: $ipt_cmd -d <host> "<reason>",
# which is the apf syntax)
ipt_cmd="/usr/local/sbin/apf"           # assumed; value not preserved in the post

# path to fguard log
fglog="/var/log/fguard_log"             # assumed; value not preserved in the post

# temporary file location for netstat output
ntl="/root/.fg_ntl"                     # assumed; value not preserved in the post

# fetch hostname
hname=$(hostname -s)

# unix time for lock tracking
utime=$(date +"%s")

# lock file path (the same path clfiles removes on final cleanup)
lock="/root/.fg.lock.utime"

# lock file timeout in seconds
lock_timeout="300"                      # assumed; value not preserved in the post

# max listings to use from connected hosts
mlist="30"                              # assumed; value not preserved in the post

eout() {
    # call arg 1 with value for string to be logged
    output="$1"
    # call arg 2 with value 1 for logging to $fglog (eout "text" 1)
    logt="$2"
    if [ ! "$output" == "" ] && [ "$logt" == "" ]; then
        echo "$(date +"%b %d %H:%M:%S") fguard($$): $output"
    elif [ ! "$output" == "" ] && [ "$logt" == "1" ]; then
        echo "$(date +"%b %d %H:%M:%S") $(hostname -s) fguard($$): $output" >> $fglog
    fi
}

get_state() {
    # lock routine to prevent toe-stepping from multiple instances
    if [ -f "$lock" ]; then
        oval=$(cat $lock)
        diff=$((utime - oval))
        if [ "$diff" -gt "$lock_timeout" ]; then
            echo "$utime" > $lock
            eout "cleared stale lock file" 1
            eout "cleared stale lock file"
        else
            eout "locked subsystem, already running ? ($lock is $diff seconds old) - aborting" 1
            eout "locked subsystem, already running ? ($lock is $diff seconds old) - aborting"
            exit 1
        fi
    else
        echo "$utime" > $lock
    fi
}
# and run the function - die if we are double running
get_state

# cleanup files
clfiles() {
    rm -f /root/.fg_igtmp
    rm -f $ntl
    touch /root/.fg_igtmp
    chmod 600 /root/.fg_igtmp
    if [ ! -f "/root/.fg_ipignore" ]; then
        touch /root/.fg_ipignore
        chmod 600 /root/.fg_ipignore
    fi
    if [ ! -f "$ntl" ]; then
        touch $ntl
    fi
    chmod 640 $ntl*
    chown root:wheel $ntl*
    if [ "$1" == "1" ]; then
        rm -f $ntl*
        rm -f /root/.fg.lock.utime
    fi
    if [ ! -f "$fglog" ]; then
        touch $fglog
    fi
    chmod 640 $fglog
    chown root:wheel $fglog
}
# clear temp files and create any required
clfiles

# loop through the ignore files, strip out #'s and place into a single file
for i in $(echo $igfiles | tr ',' ' '); do
    [ -f "$i" ] && grep -v "#" $i >> /root/.fg_igtmp
done

# local addresses into ignore file (handles both the old "inet addr:x.x.x.x"
# and the newer "inet x.x.x.x" ifconfig output)
/sbin/ifconfig | grep -w inet | awk '{print $2}' | sed 's/^addr://' >> /root/.fg_igtmp
echo "" >> /root/.fg_igtmp

# drop blank lines from the ignore list
grep -ie '[a-zA-Z0-9]' /root/.fg_igtmp > /root/.fg_igtmp2
mv /root/.fg_igtmp2 /root/.fg_igtmp

# snapshot of tcp sockets; ::ffff: is stripped so ipv4-mapped ipv6 addresses
# count against the plain ipv4 address. only tcp is listed, so sip over udp
# (5060/udp) is not seen by this check.
nice -n 19 netstat -na | grep tcp | sed 's/::ffff://g' > $ntl 2> /dev/null

# check status of connections against each port
for chk in $(echo $ptrig); do
    port=$(echo $chk | cut -d ':' -f 1)
    trig=$(echo $chk | cut -d ':' -f 2)
    # foreign addresses connected to the local port (field 4 = local address,
    # field 5 = foreign address), minus ignored hosts, counted per ip and
    # capped at the $mlist busiest
    awk -v p=":$port\$" '$4 ~ p {print $5}' $ntl | cut -d ':' -f 1 \
        | grep -vwf /root/.fg_igtmp | grep -E '[0-9]' | sort -n | uniq -c | sort -n | tail -n $mlist > $ntl.run

    # audit amount of connections from each ip against port
    for audit in $(awk '{print $1"%"$2}' $ntl.run); do
        cnt=$(echo $audit | cut -d '%' -f 1)
        host=$(echo $audit | cut -d '%' -f 2)
        if [ ! "$host" == "" ]; then
            # if already banned - ignore
            banchk=$(grep -i "$host" /etc/apf/deny_hosts.rules 2> /dev/null)
            # ban anyone connected above the $trig value for a port
            if [ "$banchk" == "" ] && [ "$cnt" -gt "$trig" ]; then
                eout "connection flood to port $port banned from $host - $cnt connections" 1
                eout "connection flood to port $port banned from $host - $cnt connections"
                $ipt_cmd -d $host "fguard ban: $cnt connections to port $port" >> /dev/null 2>&1
                if [ "$route_ban" == "1" ]; then
                    $route_cmd add -host $host reject
                fi
                # send email alert
                echo "fguard monitor on $hname detected a connection based flood from $host connected to port $port with $cnt connections, the attacking host has been banned." | mail -s "fguard alert from $hname" $email
            fi
        fi
    done
done

# cleanup files
clfiles 1